Privacy Policy

Last updated: May 1, 2026

1. Overview

B-Roll Me ("the Software") is a desktop application. Your privacy matters to us. This policy explains what data the Software handles and how.

2. Data Storage

B-Roll Me stores all data locally on your computer in a SQLite database. This includes:

  • Your video scripts and project data
  • AI analysis results (moments, evaluations)
  • YouTube search results and cached transcripts
  • Your API keys (stored locally, never transmitted to us)
  • App settings and preferences

We do not have access to your local database. The only data the app sends back to our infrastructure is the anonymous analytics envelope described in §4, which you can opt out of (see §4.6).

3. Data Transmitted to Third Parties

When you use B-Roll Me, certain data is sent to third-party services as part of normal functionality:

  • AI Providers (Anthropic, OpenAI, Google, OpenRouter): Your script text and search result data are sent to whichever AI provider you configure for analysis and evaluation. This data is transmitted directly from your computer to the provider's API using your API key. Refer to each provider's privacy policy for how they handle API data.
  • YouTube: Search queries and video IDs are sent to YouTube when searching for clips and fetching transcripts. This uses the InnerTube protocol.
  • Lemon Squeezy: License validation requests are sent to Lemon Squeezy. This includes your license key and basic device information for activation purposes.
  • Update Server: The app periodically checks for updates. This sends your current version number and platform to our update server.
  • Analytics & Crash Reporting (Vercel Analytics, PostHog Cloud, Sentry, our analytics worker): When the analytics toggle is enabled (it is on by default and can be disabled in Settings → Privacy), the app sends the anonymous events catalogued in §4 to our analytics worker (which writes them to a Supabase events table) and to PostHog Cloud. Crash reports go to Sentry with PII scrubbed before send. The marketing website also loads Vercel Analytics for aggregate, cookie-less page-view counts.

4. Anonymous Usage Analytics

B-Roll Me sends a small amount of anonymous usage data to help us understand which features are used and prioritize improvements. The canonical, code-level source of truth for this list lives at docs/analytics-events.md in our repository, and any change there must be mirrored here in the same pull request.

4.1 Identity

Every event is keyed by an install_id — a UUID generated on first launch and stored only in your local SQLite database. It is not tied to any account, license key, email address, phone number, or device fingerprint. Reinstalling the app or wiping its data directory generates a new install_id. The analytics worker also stores a salted SHA-256 hash of the caller IP (ip_hash) for abuse detection; the salt rotates quarterly and the raw IP is never persisted.

4.2 Common envelope

Every event carries the same envelope fields:

  • install_id — the anonymous UUID described above.
  • event_name — one of the names listed in §4.4.
  • app_version — the running app version, e.g. 1.4.2.
  • os, os_version, arch — coarse OS info from Tauri's OS plugin (e.g. macos / 14.4 / aarch64). No hostname, username, or device serial.
  • client_ts — an ISO 8601 timestamp at emit time.
  • properties — a small JSON object whose contents are listed per-event in §4.4.

4.3 What we never collect

The following are explicitly out of scope for any analytics event — today or in the future:

  • Script text, project names, or any user-authored content
  • YouTube video URLs, video IDs, video titles, or channel names
  • Search queries (the strings you or the LLM generated)
  • Transcript text or transcript matches
  • File system paths, output directories, or file names
  • API keys, license keys, license instance IDs, or browser cookies
  • Email addresses, phone numbers, raw IP addresses, or MAC addresses
  • The values of any settings field (we send only the key name for settings_changed)
  • Free-form error messages from third-party APIs (errors are classified into a bounded enum like auth | rate_limit | server | network | unknown)
  • Device serial numbers, hostnames, or OS usernames

4.4 Event catalogue

This is the complete list of analytics events the app emits. The shape and intent of each property is described inline.

app_first_launch

Fired exactly once, on the first launch after install. No properties.

app_launched

Fired on every app launch. No properties.

onboarding_completed

Fired when the onboarding walkthrough finishes.

  • step_count — total number of onboarding steps in this build.

script_analyzed

Fired when the LLM "Analyze script" call completes (success or failure).

  • script_word_count — integer count only; the script text is never sent.
  • model — resolved model id in provider:model_id form.
  • moments_returned — count of B-Roll moments produced.
  • duration_ms — wall-clock duration in milliseconds.
  • error_kind (failure path only) — one of auth, rate_limit, server, network, unknown. Never the raw error message.

moment_searched

Fired after a YouTube search completes for a single moment.

  • results_returned — count of unique videos returned.
  • queries_run — how many search queries were executed for the moment.
  • duration_ms — wall-clock duration in milliseconds.
  • error_kind (failure path only) — one of auth, network, unknown. The actual queries and video IDs are never sent.

moment_evaluated

Fired after the LLM scoring pass for a moment completes.

  • clips_evaluated — count of clips returned with a score.
  • model — resolved model id in provider:model_id form.
  • duration_ms — wall-clock duration in milliseconds.
  • error_kind (failure path only) — one of auth, rate_limit, server, network, unknown.

clip_downloaded

Fired after a successful download.

  • duration_seconds — clip segment length. The video URL, title, ID, and on-disk path are never sent.
  • format — mp4 or webm.
  • resolution — 720, 1080, or best.

clip_download_failed

Fired when a download exits non-zero (and was not cancelled by the user).

  • error_kind — one of network, cookies, auth, yt_dlp, cancelled, unknown. Raw stderr is never sent.

project_created

Fired when a new project is created. No properties — the project name is never sent.

settings_changed

Fired whenever a setting is written.

  • key — the setting key only (e.g. video_format). The value is never sent.

trial_started

Fired the first time a fresh trial begins. No properties.

trial_expired

Fired the first time the trial transitions to expired. No properties.

download_clicked (website only)

Fired when a visitor clicks a download button on b-roll.me. Reported to Vercel Analytics.

  • platform (optional) — the platform tag of the clicked button (e.g. mac-arm).

website_download_started (website only)

Synthesized server-side by our analytics worker before redirecting to the actual installer. Uses an hour-bucketed synthetic install id derived from a hashed IP.

  • platform — the platform segment from the URL (e.g. mac-arm).
  • synthetic_install_id — always true, so this can be filtered out of cohort analyses.

4.5 Third parties & data retention

Analytics events are processed by the following services. Each receives the same anonymous envelope described above:

  • Our analytics worker (Cloudflare) → Supabase events table. Hosted by us at dl.b-roll.me. Only the service role can read this table; row-level security blocks public access. Retention: indefinite for now — we plan to add a TTL purge in a later release. Until then, every row remains available for our own aggregate analyses.
  • PostHog Cloud (US region). Used for product analytics dashboards and funnels. Autocapture, page-view capture, and session replay are all disabled. Retention: PostHog's project default.
  • Vercel Analytics. Loaded only by the marketing website at b-roll.me, never by the desktop app. Vercel Analytics is privacy-friendly: aggregated, no cookies, no cross-site tracking. The desktop app does not contact Vercel Analytics.
  • Sentry. Receives crash and error reports only — not the events listed above. Before a payload is sent, the app removes any object key whose name matches script / api key / cookie / email / path / filename / video title / url, and truncates strings longer than 500 characters. Default PII collection is off. Retention: 30 days.

4.6 Opt out

Anonymous usage analytics are entirely optional. You can disable them in any of the following ways:

  • Open Settings → Privacy in the desktop app and turn off "Send anonymous usage analytics". The toggle takes effect immediately and shuts down PostHog for the current session.
  • Set the DO_NOT_TRACK=1 environment variable (or VITE_DO_NOT_TRACK=1 when building from source) before launching the app. This suppresses both the analytics worker and PostHog.
  • Set your browser or OS to send the standard DNT ("Do Not Track") signal. The app honors it.

5. Website

The b-roll.me website uses Vercel Analytics for aggregate, cookie-less page-view counts and the download_clicked event documented in §4.4. It does not set tracking cookies. Because no cookies are placed and no personally identifying information is collected, no cookie consent banner is displayed.

6. API Key Security

Your API keys are stored in a local SQLite database on your computer. They are never transmitted to our servers and they are explicitly listed in §4.3 as something we will never include in analytics. API calls are made directly from your machine to the respective provider's API endpoints.

7. Data Retention

Locally stored project data lives entirely in your app data directory. Deleting the app or its data directory removes all stored information. Individual projects can be deleted from within the app. Retention for the anonymous analytics pipelines is detailed in §4.5: Sentry holds error events for 30 days, PostHog uses its project default, and the Supabase events table is retained indefinitely until a future TTL purge ships.

8. Children's Privacy

B-Roll Me is not directed to children under 13. We do not knowingly collect personal information from children.

9. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated date.

10. Contact

For privacy-related questions, contact us at support@b-roll.me.